Agencies settling in on better privacy controls

Agencies are treating privacy today like they treated cybersecurity three or five
years ago.

They realize it's important. They realize they have to do it. But they aren't
exactly sure how and what it means to apply privacy to data.

"Privacy is a management issue. It's a classic risk management issue in the same
way that cybersecurity issues are risk management issues and in the same way
business expenditures are risk management issues," said Peter Miller, the chief
privacy officer at the Federal Trade Commission, during a presentation at ACT-
IAC's forum on cybersecurity and privacy in Washington Tuesday. "In order to do an
effective job, you have to accurately identify the risks that are involved. Again,
that talks about how you actually handle the risks associated and the issues, and
is privacy actually involved?"

Like many experts preached for the last decade and still do today around
cybersecurity, agencies need to consider privacy implications on the front end of
any new system, data collection or other activity.

More than a decade after Congress passed the last major law addressing privacy,
the E-Government Act of 2003, privacy issues are near the top of the list for many
agencies with the recent National Security Agency data collection revelations, as
well as the increased number of data breaches across the public and private
sectors.

Over the last 40 years, agencies haven't ignored privacy. The Privacy Act of 1974
still applies today. The E-Government Act included privacy updates and new
requirements, including the need for all agencies to do a privacy impact
assessment when there are new collections of, or new technologies applied to,
personally identifiable information.

And of course, the Office of Management and Budget required, as part of the E-
Government Act's implementation guidance, that each agency name a senior official
in charge of privacy.

Two faces of privacy

Some agencies named a person whose sole job is to be the chief privacy officer
(CPO), such as the departments of Homeland Security and Justice. But others have
added the CPO hat to their CIO or general counsel or assistant secretary for
management.

So now, 10 years after the E-Government Act, 40 years after the Privacy Act and in
the midst of recent data disclosures, agencies really are just beginning to
understand how they need to address privacy issues.

Miller said part of the challenge is privacy is both subjective and objective.

Privacy, in many ways, is hard to define because it means different things to
everyone. But there are rules and regulations that govern agency implementation
— most of which need to be updated because Congress and the White House
haven't kept them up with the changes in technology and how agencies use data.
This discussion is very similar to the debate around cybersecurity that's been
ongoing for the last three years between the administration and Congress.

Miller said the role of the CPO is similar to the role of a chief information
security officer, but less defined in some respects.

"I want to be the person to support the business operations in a positive way. So
privacy is never saying 'no.' Privacy is about saying 'yes' or 'yes, but there may
be some modifications to a particular project or particular application.' But not
something that actually stops an organization dead in the water," he said. "Of
course, the other issue we all deal with is, privacy is just one component of an
overall operation. So you have the IT piece, the business mission piece, you have
stakeholders, and you have all these different pressures on an organization. So
privacy can't always drive the process, but what it can do is inform the process."

A major role for the CPO is to convince the business owners about why privacy
needs to be considered on the front end of any program, again similar to the way
CISOs and CIOs were talking about cybersecurity three or five years ago.

Best practices available

Miller said the FTC is following several principles to improve its privacy
processes.

"It's important that you know the data. I think one of the things privacy puts a
real premium on is knowing where in an organization personal information resides,
and knowing how it's used and where it's used, and that's separate from the other
information an organization handles," he said. "One of the key issues for this, in
terms of knowing the organization's data, is being able to break it down in a way
that makes sense in terms of talking about it, identifying risks and moving on."